Forum Discussion
hooleylist
May 22, 2008 | Cirrostratus
A minor note: [HTTP::host] won't contain the protocol, so you can remove "http://" from the switch cases.
If the developers want to verify SSL was used for some pages, you could insert a new HTTP header in requests which were received through the HTTPS VIP. This could be done on the HTTP profile of the HTTPS VIP (or in an iRule). You'd want to remove any instances of this custom header from the HTTP VIP to make sure malicious clients couldn't force a request to be interpreted as HTTPS when it was HTTP. The application would then need to check for this additional HTTP header to determine whether the client to BIG-IP connection was over SSL or not.
Normally, you might consider passing the full certificate in a header if the clients were presenting a client certificate when connecting to the VIP. I'm not sure what the point of passing the SSL cert installed on the VIP to the app would be.
HTTP example:
when HTTP_REQUEST {
    # Remove all existing HTTP headers with our name
    while {[HTTP::header exists Https-Enabled]}{
        HTTP::header remove "Https-Enabled"
    }
}
Aaron
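
The header handling described in the post above, modelled as an added example (not code from the post, and a Python model rather than iRule code). It shows why the HTTP VIP must strip client-supplied copies and what the application-side check looks like. The header value "1" and all function names are assumptions.

```python
# Added example: models the Https-Enabled header handling from the post.
MARKER = "Https-Enabled"   # header name used in the post
MARKER_VALUE = "1"         # assumed value; the post does not specify one


def strip_marker(headers):
    """Drop every copy of the marker (header names are case-insensitive)."""
    return [(n, v) for n, v in headers if n.lower() != MARKER.lower()]


def http_vip(headers):
    """HTTP VIP: remove client-supplied copies and add nothing."""
    return strip_marker(headers)


def https_vip(headers):
    """HTTPS VIP: remove client-supplied copies, then insert one trusted copy."""
    return strip_marker(headers) + [(MARKER, MARKER_VALUE)]


def request_was_https(headers):
    """Application check: exactly one marker carrying the expected value."""
    values = [v.strip() for n, v in headers if n.lower() == MARKER.lower()]
    return values == [MARKER_VALUE]


# Constructed sample requests: one ordinary, one with client-supplied markers.
CLEAN = [("Host", "www.example.com")]
SPOOFED = [("Host", "www.example.com"),
           ("https-enabled", "1"),
           ("Https-Enabled", "1")]

if __name__ == "__main__":
    for vip_name, vip in (("HTTP VIP", http_vip), ("HTTPS VIP", https_vip)):
        for req_name, req in (("clean", CLEAN), ("spoofed", SPOOFED)):
            print(vip_name, req_name, "->", request_was_https(vip(req)))
```

The check is only meaningful when the application is reachable solely through the BIG-IP, since any path that bypasses both VIPs also bypasses the stripping.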